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IN THE CLAIMS 

1 . (Original) A method of protecting an electronic network, comprising: installing one or 
more agents within components of the electronic network; performing an initial assessment of 
the electronic network to determine normal activity; monitoring the electronic network for 
abnormal activity using the agents; and protecting the electronic network by blocking the 
abnormal activity using the agents. 

2. (Currently Amended) The method of claim 1 , wherein the step of installing comprises the 
step of installing a type 2 super peer agent for authenticating, authorizing and reauthorizing the 
agents. 

3 . (Original) The method of claim 1 , further comprising logically connecting at least one of 
the agents into one or more cooperative agent cells. 

4. (Original) The method of claim 3, wherein the step of installing fiirther comprises: 
establishing bidirectional communication protocols for agent communication within the 
cooperative agent cells; delegating one or more agents in the cooperative agent cells to have 
bidirectional communication with another delegated agent; and establishing bidirectional 
communication protocols for each delegated agent to communicate with another delegated agent. 

5. (Original) The method of claim 1, wherein the step of installing further comprises: 
broadcasting a request for agents to submit to authentication; and authenticating submitted 
agents. 

6. (Original) The method of claim 3, wherein the step of logically cormecting further 
comprises self-organizing at least one of the agents into each of the cooperative agent cells. 

7. (Original) The method of claim 4, wherein the step of establishing further comprising 
communicating via at least one covert communication protocol. 

8. (Original) The method of claim 1, wherein the step of perfomiing an initial assessment 
comprises: mapping systems, communication ports and attached devices of the electronic 
network; and establishing normal activity of the systems, communication ports, and attached 
devices. 

9. (Original) The method of claim 1, wherein the step of monitoring comprises: non- 

destructively intercepting communications on the electronic network; collecting events from the 
intercepted communications; and determining if the events indicate abnormal activity. 
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10. (Original) The method of claim 1, wherein the step of protecting comprises one or more 
of: luring a malicious agent that causes abnormal activity into a false appearance of success; 
planting instructions on information retrieved by the malicious agent to assist in identifying the 
origins of the malicious agent; isolating electronic network components which have been 
compromised by the maHcious agent; attacking the malicious agent; fonnulating a strategy to 
eliminate recently discovered vulnerabilities in the electronic network; installing patches to 
eliminate vulnerabihties in the electronic network; reassessing the electronic network to detect 
abnormal operations; and investigating abnormal operations of the electronic network. 

1 1 . (Original) The method of claim 3, further comprising promoting one of the agents in each 
of the cooperative agent cells to a cell delegate. 

12. (Original) The method of claim 11, further comprising: promoting a second agent in each 
of the cooperative agent cells to a type 1 super peer agent; authenticating new agents with the 
type 1 super peer agent; and communicating between the cooperative agent cells and a command 
and control console via the cell delegate to protect the network from malicious activity. 

13. (Original) The method of claim 3, the agents and cooperative agent cells being 
configured for independent and collaborative investigation of the electronic network, isolation of 
compromised components of the electronic network, and defense of the electronic network. 

14. (Original) A system for protecting an electronic network, comprising: a plurahty of 
agents with the electronic network, the agents being grouped into at least one cooperative agent 
cell having one cell delegate; a communications protocol within each cooperative agent cell, for 
(a) communicating between agents of the cooperative agent cell, and (b) communicating with 
cell delegates external to the cooperative agent cell; means for determining normal activity levels 
of the electronic network; means for detecting malicious activity; means for isolating 
compromised components of the electronic network; means for counter-intelligence to reveal the 
origin of the malicious activity; means for repairing damage caused by the maHcious activity; 
means for determining vulnerabilities in the cuiTent protection provided by the plurality of 
agents; and means for improving protection to resist future attack on the electronic network. 

1 5 . (Currently Amended) A system for event monitoring, comprising: 
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an electronic network, havinR cooperative agent network for performing an initial assessment of 
the electronic network, for collecting events; 

one or more event correlation engines, each event con-elation engine being connected to the 
electronic network and having a receive event handler for receiving events addressed to the event 
correlation engine; and 

one or more event correlation modules, each of the event coirelation modules having an event 
pattern that defines events of interest, each of the correlation modules receiving all events 
received by the event correlation engine, the event correlation module correlating the events of 
interest. 

1 6. (Original) wherein the event correlation module is a simulated armealing correlator 
module. 

1 7. (Original) The system of claim 1 6, the simulated annealing correlator further comprising: 
recorded events; a simulated annealing correlator engine; heuristics; and a correlation threshold; 
wherein the simulated annealing correlator engine utiUzes the heuristics and the correlation 
threshold to coirelate the events received by the event correlation engine with the recorded 
events, the correlated events being added to the recorded events. 

1 8 . (CuiTently Amended) A method of pattern recognition, comprising: 

performing an initial assessment of the electronic network, 

collecting electronic network events; sampling the electronic network events with one or more 
event correlation engines; 

passing sampled electronic network events fi-om each event correlation engine to one or more 
event correlator modules within each event correlation engine; 
comparing events in each of the event correlator modules by sampling the events, 
determining if any of the events matches an event pattern, and, if there is a match, 

creating a new event armouncing the match and passing the new event to the associated event 
correlation engine for electronic network distribution; 
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and determining patterns in events using a simulated annealing correlator, determining if the 
pattern is important, and, if so, creating a new event announcing the important pattern and 
passing the new event to the associated event coiTelation engine for network distribution. 
19. (Original) The method of claim 1 8, wherein the step of sampling further comprises 
sampling all of, or less than all of, the electronic network events. 
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